Office of Forensic Auditing, Evaluation and Analysis
Office of Inspector General
U.S. General Services Administration

INSPECTION REPORT
Security Vulnerabilities – Protecting Information and Property in the GSA Central Office Open Space

Report Number: JE15-001
October 16, 2014

REPORT ABSTRACT

OBJECTIVE
Our objective was to identify weaknesses in the physical security of sensitive information and highly pilferable government-furnished personal property in the open office space at the GSA Central Office.

What We Found
We identified the following during our inspection:

1. Physical control weaknesses in securing sensitive information covered by the Privacy Act (5 U.S.C. § 552a) and the Trade Secrets Act (18 U.S.C. § 1905).
2. Physical control weaknesses in securing highly pilferable government-furnished personal property.

What We Recommend
Based on our findings we recommend GSA supervisors and managers:

1. Enforce GSA policies and procedures for the safeguarding of Personally Identifiable Information, other sensitive information, and highly pilferable government-furnished personal property.
2. Routinely monitor for security compliance by both employees and contractors.
3. Assess the adequacy of secure storage space available to meet employee and contractor needs.

Management Comments
The Chief of Staff concurred with our recommendations and launched a campaign educating employees of the associated policies and procedures. Management’s comments can be found in their entirety in Appendix B.

Office of Forensic Auditing, Evaluation and Analysis (JE)
1800 F Street, NW, Suite 5013
Washington, DC 20405
202-273-4989

U.S. General Services Administration
Office of Inspector General

DATE:     October 16, 2014

TO:       ADAM NEUFELD
          Chief of Staff (AC)

FROM:     PATRICIA D. SHEEHAN
          Director
          Office of Forensic Auditing, Evaluation and Analysis (JE)

SUBJECT:  Inspection Report
          Security Vulnerabilities – Protecting Information and Property in the GSA Central Office Open Space
          Report Number: JE15-001

This report presents the results of our inspection of the GSA Central Office conducted on July 30, 2014.
Our findings and recommendations are summarized in the Report Abstract. Instructions regarding the resolution process can be found in the email that transmitted this report.

Your written comments to the draft report are included in Appendix B of this report.

If you have any questions regarding this report, please contact me or any member of the Inspection team at the following:

Patricia Sheehan     Director             Patricia.Sheehan@gsaig.gov    202-273-4989
Natalie Granito      Auditor              Natalie.Granito@gsaig.gov     202-273-7267
Rashawna Chapman     Management Analyst   Rashawna.Chapman@gsaig.gov    202-273-7252
Gabrielle Perret     Management Analyst   Gabrielle.Perret@gsaig.gov    202-273-7268

On behalf of the inspection team, I would like to thank you and your staff for your assistance during this inspection.

RESULTS IN BRIEF

On July 30, 2014, the OIG Office of Forensic Auditing, Evaluation and Analysis conducted an after-hours limited inspection of the open office space at the General Services Administration (GSA) Central Office. The inspection identified physical control weaknesses in securing sensitive information covered by the Privacy Act (5 U.S.C. § 552a) and the Trade Secrets Act (18 U.S.C. § 1905), as well as physical control weaknesses in securing highly pilferable government-furnished personal property.

The inspection of the GSA Central Office open space found numerous incidences of unsecured Personally Identifiable Information (PII) [1] and other sensitive information. [2] The inspection found an unsecured HSPD-12 PIV card, sensitive contract files, architectural drawings marked “SENSITIVE BUT UNCLASSIFIED,” unlocked file cabinets containing sensitive information, a combination code for a bay of personal lockers that was left directly on top of those lockers, and a door cipher lock combination taped to the back of the door. The inspection also found valuable property that was unsecured, including laptops and other electronics.

This report discusses the results of the OIG’s inspection of the GSA Central Office, and recommends that GSA managers and supervisors: (1) enforce GSA policies and procedures for the safeguarding of PII, other sensitive information, and highly pilferable government-furnished personal property; (2) routinely monitor for security compliance by both employees and contractors; and (3) assess the adequacy of secure storage space available to meet employee and contractor needs.

BACKGROUND

The GSA Central Office renovation Phase I, completed for employee reoccupation in 2013, created an open space work environment that eliminated traditional office doors and cubicles in favor of a desk and conference room reservation system with few permanent desk assignments. GSA’s traditional office space was previously secured by office suites with locked doors. The open workspace has created a new environment in which employees now have open-concept offices with “hotel desks” [3] that feature personal lockers and locking file cabinets.
The transition to a more collaborative workspace has increased security risks for vulnerable assets and sensitive information as GSA employees adjust to taking new steps to physically secure property and information in their personal workspaces.

[1] Personally Identifiable Information (PII), as defined in OMB Memorandum M-07-16, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.
[2] For the purposes of this report, “sensitive information” is any information GSA has determined requires some degree of heightened protection from unauthorized access, use, disclosure, disruption, modification, or destruction because of the nature of the information, e.g., personal information required to be protected by the Privacy Act of 1974, proprietary commercial information, information critical to agency program activities, and information that has been or may be determined to be exempt from public release under the Freedom of Information Act.
[3] For this report we define hotel desks in accordance with GSA’s Successful Hoteling: GSA’s 10 Tips as “Hoteling is the office management strategy that considers certain office resources, such as workspaces and equipment, to be shared assets, rather than assets ‘owned’ by specific individuals within an organization…. Hoteling is typically characterized by reservation and check-in processes.” http://www.gsa.gov/graphics/admin/Successful-Hoteling-Tips_Final.pdf, retrieved September 8, 2014.

In addition to the many GSA directives that broadly address controls to protect property and sensitive information, [4] GSA has also communicated specific guidance to address the new open office space through a blog series of frequently asked questions targeting issues employees may experience during the transition. [5] These blog entries discussed a variety of security issues in the new open office environment, including:

    Employees working on sensitive material or information will have to be diligent about monitoring their environment and securing information as necessary. Materials can be secured in shared filing cabinets, in employee personal storage, or for a short period, in the locking peds [6] that are at the workstation.

Furthermore, GSA’s intranet site contains a training presentation entitled, “GSA Central Office, Office of Theft Prevention Training, June 2014, Crime Prevention Tips,” with suggestions for reducing the potential for theft in the workplace. The training emphasizes precautions all employees and contractors could take to prevent burglary, theft, or vandalism, such as:

    • Lock all offices, conference rooms, or storage rooms that are regularly unoccupied.
    • If you are the last to leave at night, secure all computer systems, critical files, and copiers.
    • When employees must work before or after business hours they should keep their doors locked.

Moreover, GSA employees and contractors are required to take annual training, “IT Security Awareness and Privacy 101 Training,” that highlights requirements for protecting PII.
Finally, when using GSA’s collaborative work system, users are required to acknowledge their responsibility to safeguard GSA property and information by agreeing to:

    • Protect and conserve Government resources and assets from theft, destruction and use for other than authorized purposes.
    • Physically secure highly pilferable and/or sensitive items that are in their custody when their office spaces or buildings are unoccupied.
    • Employ locking devices or put highly pilferable or sensitive items in a secure place while teleworking and while on travel.
    • Promptly report the loss, theft, damage, or disappearance of property to their immediate supervisor. [7]

[4] GSA directives applicable to protection of property and sensitive information include, but are not limited to: GSA Order 2104.1A CIO, GSA Information Technology (IT) General Rules of Behavior; GSA Order 2180.1 HCO, Rules of Behavior for Handling Personally Identifiable Information (PII); and GSA Order 7800.12 ADM, Management of the U.S. General Services Administration’s (GSA) Internal Personal Property.
[5] “Countdown to Downtown, 1800 F Making Our Move,” retrieved from GSA’s intranet site, InSite, July 23, 2014.
[6] “Peds” is short for mobile pedestal filing cabinets on wheels, often used for under-desk storage.
[7] “Employee Accountability for GSA Property,” and “Accountability for GSA Personal Property,” certification items (1)(a) through (d), retrieved from GSA’s cloud computing environment, August 1, 2014.

FINDINGS

UNSECURED SENSITIVE DOCUMENTS
During the inspection, we observed and documented unlocked personal lockers, drawers, and shared file cabinets that contained PII and other sensitive information. We found unsecured contract files, some containing source selection information marked with strict control designations, as well as personnel and training forms containing PII, a certification of an employee’s background investigation, and employee performance appraisals.

Figure 1: Documents such as this one, labeled “Technical Evaluation Board,” “SOURCE SELECTION INFORMATION,” and “DO NOT RELEASE,” were found in unsecured drawers.

We also found keys to cabinets stowed in open personal drawers, allowing anyone to easily gain access to other secured cabinets, which could potentially leave more documents vulnerable.

Numerous documents containing PII, such as employee personnel documents, travel vouchers, and Authorization, Agreement and Certification of Training (SF-182) forms, were found on top of desk surfaces in plain sight.
Figure 2: This folder, labeled “CONFIDENTIAL – OPEN BY ADDRESSEE ONLY,” was found on top of a desk drawer along with other documents. The folder’s seal was broken, and it contained sensitive employee performance reviews and assessments.

Other sensitive documents were stacked on top of shared working areas. These items contained either PII or other sensitive information. For example, architectural drawings for courthouses and other federal buildings were left unsecured on large tables. These architectural drawings explicitly stated that the information was “SENSITIVE BUT UNCLASSIFIED.” Furthermore, the cabinets designed specifically for holding these large documents did not have locks. In another instance, the combination code for a bay of personal lockers was left directly on top of those lockers. When tested, the combination opened several lockers, one of which contained PII.

Figure 3: Architectural drawings, marked with strict control designations, were left on top of tables. Many were drawings of federal buildings such as courthouses.

The inspection team also found two documents containing employee PII, such as name, address, Social Security number, and phone number, in a shared supply center. One document was found in a printer tray, while the other was stacked in a tray designated for printing jobs that had not been retrieved.
GSA Rules of Behavior for Handling Personally Identifiable Information (PII) explicitly states, “Don’t let PII documents sit on a printer where unauthorized employees or contractors can have access to the information.” [8]

[8] GSA Order 2180.1 HCO, GSA Rules of Behavior for Handling Personally Identifiable Information (PII), section (7)(i).

The GSA Information Technology (IT) Security Policy (CIO P 2100.1I) requires employees to report incidents of unsecured documents containing PII to an information security officer or other proper authorities. After our physical inspection, we contacted the GSA Privacy Officer to inquire about employee reports of PII breaches at the GSA Central Office. We were advised of one reported breach within the last year.

During the inspection, items that were sensitive and could not be secured in place were removed, and a notice was left stating, “We identified unsecured sensitive information. Due to the sensitive nature of this information, we have taken possession of it to secure its privacy,” and including our contact information for retrieval. Many employees who contacted our office to retrieve these unsecured sensitive items had no knowledge of exactly what items were taken from their work spaces. Some items have yet to be claimed.

UNSECURED HIGHLY PILFERABLE PERSONAL PROPERTY
During our inspection, an HSPD-12 PIV card was found in an unsecured drawer. The badge belonged to a former GSA contractor. We tested the badge on the security turnstile and found it to be active. An active HSPD-12 PIV permits unrestricted physical access to the GSA Central Office building, and potentially any federal building.
This indicates inadequate security over HSPD-12 processing and raises further questions as to GSA’s procedures for confiscating or deactivating HSPD-12 cards that should no longer be in use. As of the date of this report, no one has contacted the OIG to claim the badge, and the building security office has advised that there have been no reports of this HSPD-12 card being missing, lost, or stolen. The OIG is currently addressing this issue through the ongoing review, Evaluation of Controls over HSPD-12 Issuance and Destruction for Contractors.

Figure 4: This HSPD-12 PIV card was found in an unsecured drawer.

In addition, we found a GSA-issued laptop that was left on top of a bay of lockers. During the inspection, we were unable to determine which employee it was assigned to, or which locker it should have been secured in. Consequently, we took possession of it and inventoried it with the other items that we secured.

The owner contacted us and was able to pick it up the next day. Upon retrieving the confiscated laptop, the employee explained that personal possessions and GSA property did not both fit into the assigned locker; therefore, the employee had decided to secure personal belongings (several pairs of shoes) in the locker rather than the GSA laptop. An assessment of the adequacy of secure storage space at the GSA Central Office is needed.

Figure 5: This laptop was left unsecured on top of a bay of lockers.

Many supplies and high-value electronics, such as portable laminate machines and projectors – each valued up to $1,000 – were found in unlocked closets and were vulnerable to theft. Additionally, we found unsecured laptops in open drawers at multiple peds.

Figure 6: Two laptops were found in an unlocked drawer. These items were secured in place by the OIG inspectors.

Throughout the inspection we observed that supply centers and their related inventory, such as toner cartridges, were accessible after hours, increasing the risk of theft. Cabinets in the supply centers were easily securable; however, keys were left in their corresponding cabinet locks. We contacted the Federal Protective Service (FPS) to determine if there were any reported thefts since the transition into the new shared open office space. FPS advised that in the last year there were five reported thefts at the GSA Central Office, two of which were thefts of GSA property.

CONCLUSION

GSA requires and provides training and guidance to address physical security risks to its employees and contractors. However, the lack of due diligence in safeguarding PII, other sensitive information, and highly pilferable government-furnished personal property leaves GSA vulnerable to potential threats. As a result of this inspection, the agency has since publicized numerous security reminders in poster displays, emails, and blogs.

RECOMMENDATIONS

1. GSA supervisors and managers should enforce GSA policies and procedures for the safeguarding of PII, other sensitive information, and highly pilferable government-furnished personal property.

2. GSA supervisors and managers should routinely monitor for security compliance by both employees and contractors.

3. GSA supervisors and managers should assess the adequacy of secure storage space available to meet employee and contractor needs.

APPENDIX A – OBJECTIVE, SCOPE AND METHODOLOGY

The Office of Forensic Auditing, Evaluation and Analysis performed an unannounced after-hours building inspection of shared open space to identify weaknesses in the physical security of sensitive information and highly pilferable government-furnished personal property. The inspection was conducted in the newly renovated 1800 F GSA building on Wednesday, July 30, 2014, between the hours of 7:00 p.m. and 11:00 p.m. EST. The searches we performed for this inspection were limited to the Central Office located at 1800 F Street, NW, Washington, D.C.

We conducted this inspection in accordance with Quality Standards for Inspection and Evaluation developed by the Council of the Inspectors General on Integrity and Efficiency. In accordance with those standards, we planned and performed the inspection to collect sufficient, relevant evidence to provide a reasonable basis for our findings, conclusions, and recommendations.

In order to accomplish the objective, we subjectively selected workstations, office storage, and office rooms in the open work space, including supply centers and conference rooms, to perform targeted searches for: (1) unsecured highly pilferable government-furnished personal property (such as laptops and other electronics); and (2) unprotected sensitive information, including PII.

To perform our test work of certain physical controls over the security of vulnerable assets and sensitive information, we performed a subjective search of GSA open work space. We subjectively selected floors and areas to search, from the basement level to the 7th floor.
In order to discover instances of unsecured sensitive information and highly pilferable government-furnished property, we conducted the following steps:

    • Tested for unlocked cabinets/safes/lockers;
        o Inspected contents of unlocked cabinets/safes/lockers;
    • Probed for unlocked computer screen access;
    • Searched personal workspaces, supply centers, trash bins, recycle bins, closets, and countertops;
    • Scanned for keys and lock combinations; and
    • Tested for unlocked offices.

When unsecured sensitive documentation was encountered, we used our professional judgment to determine whether it required our removal and safeguarding. If sensitive business documents were found in lockable cabinets, we locked the cabinets and confiscated the keys to secure them. Examples of criteria used to confiscate or secure documents included:

    • Social Security numbers combined with names, addresses, or other personal information.
    • Documents marked Limited Official Use Only (LOUO), Sensitive, For Limited Use Only, Sensitive but Unclassified, Do Not Release, Do Not Distribute, etc.

When we encountered unsecured highly pilferable valuable property, we used our professional judgment to determine whether it required our removal and safeguarding. If highly pilferable valuable property was found in lockers, we secured it by locking it in the passcode-protected electronic lockers.

For all instances when unsecured sensitive information or highly pilferable personal property was removed for safeguarding, as well as all instances when cabinet keys were confiscated, a notice was left at the workspace detailing our action.
The notice stated that we had taken possession of the sensitive information to secure its privacy, and included OIG contact information for retrieval.

Because we were unable to remove and safeguard all items documented during the inspection, a memorandum was issued on July 31, 2014, to the Central Office building services manager describing the conditions found and recommending GSA take all necessary action to ensure sensitive information is physically protected in the Central Office open space. [9]

All of our findings are based on observation during our inspection work performed on July 30, 2014. We documented all of our evidence with photographs and detailed descriptions of our findings on each floor. All evidence was approved by the Director of the Office of Forensic Auditing, Evaluation and Analysis, who was onsite to supervise the work for the entire span of the inspection. All evidence seized was catalogued for return to its owners. Because of the judgmental nature of the work performed for this inspection, we cannot generalize our results to any other locations or points in time.

[9] Office of Forensic Auditing, Evaluation and Analysis Memorandum, “GSA Central Office Physical Controls Over Sensitive Information,” July 31, 2014.

APPENDIX B – MANAGEMENT COMMENTS